The Orca Security Research Team has publicly disclosed vulnerabilities in two Amazon Web Services (AWS) tools that could have allowed unauthorized access to accounts and been used to leak sensitive files. Both bugs have since been fully patched.
The first bug, which Orca named Superglue, was an issue in AWS Glue that an attacker could have exploited to gain access to information maintained by other AWS Glue users.
Amazon Web Services (AWS) describes Glue as “a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development.” It’s fair to say that AWS customers use it to manage large amounts of data, so large, in fact, that AWS Glue users can store up to 1 million items for free.
“We were able to identify a feature in AWS Glue that could be exploited to obtain credentials for a role within the AWS service’s own account,” says Orca, “which gave us full access to the internal service API.”